The SMTP protocol is used by email servers to transport email between servers. By default, SMTP does not support encryption and messages are transmitted in plaintext. Servers that support email encryption over TLS signal this by advertising the STARTTLS SMTP verb. TLS-enabled servers also use STARTTLS to send TLS-encrypted email when communicating with other TLS-capable servers. Supporting STARTTLS does not, by itself, encrypt all incoming email: whether TLS is used is decided by the SMTP client, not the server.
Impact
SMTP servers configured without TLS support accept email over TCP port 25 in plaintext, allowing an attacker with a privileged network position to read and modify the traffic.
If SMTP does not need to be exposed on the Internet, close the port or deny access with firewall rules. If SMTP is required, make sure that all mail servers support TLS and are configured with valid certificates. This allows SMTP clients to verify the authenticity of the server and provides confidentiality for the transferred email.
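The STARTTLS capability check described above, as an added example in Python (not part of the original finding and not SSLyze code): parse_ehlo reads the extension keywords out of a multi-line EHLO reply, and check_server performs the same test live against one of your own mail servers, then opens TLS with certificate and hostname verification so an invalid certificate is reported as well. The host names and EHLO replies are constructed for the example.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from a real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello scanner\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 HELP"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello scanner\r\n"
    "250-SIZE 35882577\r\n"
    "250 HELP"
)


def parse_ehlo(reply: str) -> list[str]:
    """Return the extension keywords announced in a (multi-line) EHLO reply.

    Every line is "250-KEYWORD params" except the last, "250 KEYWORD params";
    the first line carries the server greeting, not an extension.
    """
    extensions = []
    for line in reply.replace("\r\n", "\n").split("\n")[1:]:
        if not line.startswith("250"):
            continue
        fields = line[4:].split()
        if fields:
            extensions.append(fields[0].upper())
    return extensions


def supports_starttls(reply: str) -> bool:
    """True when the EHLO reply advertises STARTTLS (RFC 3207)."""
    return "STARTTLS" in parse_ehlo(reply)


def check_server(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Live check of your own server: returns 'no-starttls', 'bad-cert' or 'ok'.

    ssl.create_default_context() verifies the certificate chain and hostname,
    exactly what a careful SMTP client does before trusting the server.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "no-starttls"
        try:
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLCertVerificationError:
            return "bad-cert"
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        return "ok"
```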
- sslyze_cli.py: Fast and full-featured SSL scanner for Python 2.7. SSLyze is a Python tool that analyzes the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.
Command
sslyze_cli.py --starttls=smtp 192.168.1.222:25
Vulnerable Output
AVAILABLE PLUGINS
-----------------
CertificateInfoPlugin
SessionRenegotiationPlugin
OpenSslCcsInjectionPlugin
HeartbleedPlugin
HstsPlugin
FallbackScsvPlugin
OpenSslCipherSuitesPlugin
CompressionPlugin
SessionResumptionPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
192.168.1.222:25 => WARNING: SMTP STARTTLS not supported; discarding corresponding tasks.
SCAN COMPLETED IN 0.34 S
------------------------
Create a file with a list of servers, one per line. Remember to add the port at the end of each entry.
Command
sslyze_cli.py --starttls=smtp --targets_in=ips.lst
Output
[apuente@centeotl ~] cat ips.lst
192.168.1.230:25
192.168.1.228:25
192.168.1.221:25
192.168.1.222:25
[apuente@centeotl ~] sslyze_cli.py --targets_in=ips.lst --starttls=smtp
AVAILABLE PLUGINS
-----------------
CertificateInfoPlugin
SessionRenegotiationPlugin
OpenSslCcsInjectionPlugin
HeartbleedPlugin
HstsPlugin
FallbackScsvPlugin
OpenSslCipherSuitesPlugin
CompressionPlugin
SessionResumptionPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
192.168.1.230:25 => 192.168.1.230
192.168.1.228:25 => 192.168.1.228
192.168.1.222:25 => WARNING: SMTP STARTTLS not supported; discarding corresponding tasks.
192.168.1.221:25 => WARNING: SMTP STARTTLS not supported; discarding corresponding tasks.
As you can see, the servers that lack SSL/TLS in their configuration are flagged with a warning during the host availability check and are excluded from the rest of the scan.